1497 matches found
CVE-2026-11777 Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'name' Parameter
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient...
WordPress Tutor LMS – eLearning and online course solution plugin <= 3.9.11 - Authenticated (Administrator+) SQL Injection vulnerability
Authenticated Administrator+ SQL Injection vulnerability discovered by s1kr10s - Nayrox in WordPress Plugin Tutor LMS versions = 3.9.11...
Bosch Security Systems IP Cameras Uncontrolled Resource Consumption (CVE-2021-23852)
An authenticated attacker with administrator rights Bosch IP cameras can call an URL with an invalid parameter that causes the camera to become unresponsive for a few seconds and cause a Denial of Service DoS. This plugin only works with Tenable.ot. Please visit...
Bosch Security Systems IP Cameras Improper Input Validation (CVE-2023-39509)
A command injection vulnerability exists in Bosch IP cameras that allows an authenticated user with administrative rights to run arbitrary commands on the OS of the camera. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information...
BIT-DISCOURSE-2026-45775 Discourse: Cross-site backup access via path traversal in multisite local backups
Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.4, 2026.3.0 to before 2026.3.1, and 2026.4.0 to before 2026.4.1, a path traversal vulnerability in Discourse backup handling could allow an authenticated administrator on one site in a multisite deployment to...
CVE-2026-49954 Discuz! X5.0 Local File Inclusion via enable_disable.php Plugin Directory
Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigg...
CVE-2026-49954
Discuz! X5.0 (versions 20260320–20260610) is affected by a Local File Inclusion in the enable_disable.php Plugin Directory, exploitable by authenticated administrators. The vulnerability stems from importing a crafted plugin configuration that uses path traversal in the directory attribute; an ex...
PT-2026-49298
Name of the Vulnerable Software and Affected Versions RuoYi version 4.8.2 Description An issue in the code generation module allows an authenticated attacker with administrative privileges to access sensitive database information. This is possible through a SQL Injection in the...
CVE-2026-45775
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a path traversal vulnerability in Discourse backup handling could allow an authenticated administrator on one site in a...
CVE-2026-45775
Discourse, a multi-site capable open-source discussion platform, has a path traversal vulnerability in its backup handling that could let an authenticated administrator on one site access backup files from another site on the same host. Affected version ranges include 2026.1.0-latest up to before...
CVE-2026-47366
Improper verification of access permissions when modifying permissions through the Administration Control Panel ACP allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface...
CVE-2026-47366
Improper verification of access permissions when modifying permissions through the Administration Control Panel ACP allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface...
CVE-2026-47366
CVE-2026-47366 describes an improper verification of access permissions in the Administration Control Panel . An authenticated administrator could modify permissions and grant rights beyond their authorized level, resulting in privilege escalation within the administrative interface. The document...
PT-2026-48986
Name of the Vulnerable Software and Affected Versions Discourse versions 2026.1.0-latest through 2026.1.3 Discourse versions 2026.3.0-latest through 2026.3.0 Discourse versions 2026.4.0-latest through 2026.4.0 Description A path traversal issue exists in the backup handling of this open-source...
CVE-2026-46489
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into eve...
EUVD-2026-36303
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into eve...
CVE-2026-46489
SolidInvoice (open-source invoicing platform) contains CVE-2026-46489: before version 2.3.17, the logo upload feature accepts any file type without validation, allowing an authenticated administrator to upload an SVG containing embedded JavaScript. The script is base64-encoded and injected unesca...
EUVD-2026-36134
A cross-site scripting XSS vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface. This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama virtual and...
EUVD-2026-36149
A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI or Web UI. The security risk posed...
SolidInvoice 跨站脚本漏洞
SolidInvoice is an open-source invoice processing application developed by SolidInvoice. Versions of SolidInvoice prior to 2.3.17 contained a cross-site scripting vulnerability. This vulnerability stemmed from the company logo upload feature not verifying file types. As a result, authenticated...